Archive for June 2, 2026

Tuesday, June 2, 2026

Bricking Microsoft Office 2019

Adam Engst (TidBITS-Talk, Hacker News, MacRumors):

If you are still using Microsoft Office 2019 for Mac, it will stop working fully on 13 July 2026. Word, Excel, PowerPoint, and Outlook will enter “reduced functionality mode”—a euphemism meaning you can view and print documents but cannot edit, save, or create new ones. Microsoft’s documentation doesn’t clarify what this means for Outlook users.

Why is this happening? A security certificate expiration is forcing Office 2019 into read-only mode, though Microsoft acknowledges this only obliquely in the FAQ. Without a current certificate, the apps can’t confirm you have a legitimate license.

[…]

At least in this case, Apple didn’t push users of older systems to buy new hardware—it just quietly kept things working. […] In contrast, Microsoft is quietly changing its story.

Consumer Rights Wiki:

After Office 2019 for Mac reached end of support in October 2023, Microsoft assured customers their installed apps would “continue to function.” The July 13, 2026 conversion instead drops the apps into a Microsoft-defined “reduced functionality mode,” in which files can be opened and viewed but not edited or saved. By May 30, 2026, the original 2023 end-of-support page had been re-dated and rewritten on Microsoft’s site; the “continue to function” clause was removed.

We thought the deal was that, if you purchase a perpetual license instead of subscribing, you don’t get feature upgrades but the apps keep working on the original hardware and OS version. Customers don’t like online license activation because it’s annoying and subject to temporary network or server problems. With smaller companies, there’s always the risk that they go out of business, and the server goes down, so you lose access to the app. (None of my apps use activation.) I didn’t expect that to be a danger for Mag 7 companies, but it turns out that Apple broke Mac App Store purchases for older OS versions (as well as movie and music purchases on newer hardware), and now Microsoft is letting its own activation break. I’m sure there’s something in the EULA that says they can end support, but it still feels like a violation of the social contract. The customer did their part by paying; it was the company that chose to impose the activation model in order to weed out cheaters; shouldn’t it then own any problems that creates?

But it’s actually worse than that because even subscribing to Office 365 doesn’t fix the problem. You need a newer version of Office, which necessitates a newer version of macOS, which may necessitate getting a new Mac—all to fix what seems like an artificial problem.

Amber Neely:

It’s also bricking its mobile apps on devices running iPadOS 16 and iOS 16 or earlier.
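Engst's explanation comes down to a design choice in the activation check. If the verifier requires the licensing certificate to be valid at the moment of the check, then every license that certificate ever signed stops verifying together on the day it expires, which is exactly the "read-only on 13 July" behaviour described above. The Go program below is an added example written for this page; it is not Microsoft's code and does not describe how Office's activation actually works. The License record, the self-signed licensing certificate, the product name and every date are constructed for illustration. It puts the fragile check next to one that anchors validity to the license's signed issue time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// License is a hypothetical perpetual-license record: the vendor signs the
// product name and the issue time with the key of its licensing certificate.
type License struct {
	Product  string
	IssuedAt time.Time
	Sig      []byte // ASN.1 ECDSA signature over digest(Product, IssuedAt)
}

func digest(product string, issuedAt time.Time) []byte {
	sum := sha256.Sum256([]byte(product + "\x00" + issuedAt.UTC().Format(time.RFC3339)))
	return sum[:]
}

// newSigner builds a self-signed licensing certificate valid for [notBefore, notAfter]
// (a hypothetical stand-in for whatever certificate a real activation check relies on).
func newSigner(notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Licensing Signer"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func issue(key *ecdsa.PrivateKey, product string, at time.Time) (License, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(product, at))
	return License{Product: product, IssuedAt: at, Sig: sig}, err
}

// certValidAt runs the standard chain validation with the clock pinned to t.
func certValidAt(cert *x509.Certificate, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func checkSig(cert *x509.Certificate, lic License) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest(lic.Product, lic.IssuedAt), lic.Sig) {
		return errors.New("bad license signature")
	}
	return nil
}

// VerifyNaive requires the certificate to be valid at the moment of the check,
// so every license it ever signed stops verifying on the day it expires.
func VerifyNaive(cert *x509.Certificate, lic License, now time.Time) error {
	if err := certValidAt(cert, now); err != nil {
		return fmt.Errorf("licensing certificate rejected: %w", err)
	}
	return checkSig(cert, lic)
}

// VerifyAtIssuance requires the certificate to have been valid when the license
// was issued (and the issue time not to lie in the future), so a perpetual
// license outlives the certificate that signed it. IssuedAt is under the signature.
func VerifyAtIssuance(cert *x509.Certificate, lic License, now time.Time) error {
	if lic.IssuedAt.After(now) {
		return errors.New("license issue time is in the future")
	}
	if err := certValidAt(cert, lic.IssuedAt); err != nil {
		return fmt.Errorf("certificate was not valid at issuance: %w", err)
	}
	return checkSig(cert, lic)
}

func main() {
	cert, key, err := newSigner(time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC),
		time.Date(2026, 7, 13, 0, 0, 0, 0, time.UTC)) // constructed: signer expires 13 July 2026
	if err != nil {
		panic(err)
	}
	lic, _ := issue(key, "Office 2019", time.Date(2019, 10, 1, 0, 0, 0, 0, time.UTC))
	for _, day := range []string{"2026-06-02", "2026-08-01"} { // before and after expiry
		now, _ := time.Parse("2006-01-02", day)
		fmt.Printf("%s naive=%v at-issuance=%v\n", day, VerifyNaive(cert, lic, now), VerifyAtIssuance(cert, lic, now))
	}
}
```

Before 13 July both checks accept the license; afterwards only VerifyAtIssuance does, because it asks whether the certificate was valid when the license was created rather than whether it is valid today. The caveat a practitioner should keep in mind: the issuance-time design trusts IssuedAt only because it is covered by the signature, so a signing key that leaks after expiry could still be used to back-date licenses. Production schemes close that gap with a trusted timestamp countersignature and a revocation path, and neither needs a live activation server to keep a paid-for, already-installed copy working.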

No Bounty for Mysk

Mysk:

We had lengthy discussions explaining the bug to Apple. It was clear to us the bug was new to Apple Product Security. After 5 months, they informed us that the report was treated as a duplicate and it was addressed.

We just got this update for CVE-2026-28910: No bounty.

[…]

It is hard to believe that our report was a duplicate. The bug was present in all previous macOS releases and now all of a sudden two independent reports addressed it at once!! What are the odds of that? We reported the bug in October 2025. Apple fixed it in March 2026. So they knew about this critical bug earlier than October and left it unpatched all this time?

Mysk:

We have a series of bad experiences with the way Apple Product Security treats our reports. It started with the clipboard: we spent lengthy exchanges convincing them it was a bug; they concluded it wasn’t an issue. When we published the demo we submitted to them, the media helped raise awareness about it. Pressured by social media demands, Apple introduced the clipboard notification in iOS.

And recently we reported a bug that the Passwords app would contact websites over HTTP to download icons. Same behavior: not an issue -> lengthy discussion -> FINE we fix it. Then they said our work didn’t meet their criteria for a bounty. After that and in iOS 26, they introduced this option in the settings (see screenshot). It is clearly based on our unpaid work that we fought hard to convince their team it was an issue.

Mysk:

We will no longer submit bugs we discover in Apple systems through Apple Bounty Program.

neils:

Apple did this to me in 2019 over a Messages 0-click bug. So I did some magic and got myself added to their daily bug bounty standup call, which was just a FaceTime group call. I submitted another vuln with a screenshot of their call and got a threatening letter.

Lior Halphon:

A few years ago I reported a bug, which Apple fixed. When I asked for the bounty and credit, they ghosted me. They did eventually provide both the payout and the credit (although they listed the wrong affected OS versions in the security bulletin), but only after Twitter shaming.

That said, the whole experience never felt malicious or deliberate, it simply reeked of incompetence and severe lack of organization.

Denis Kanonik:

From my experience of reporting bugs to Apple, they never admit that you were the first; it’s always a duplicate. Even if there is no bounty promised or expected and the novelty is obvious.

Bob Burrough:

Apple peeps […] you should reward the effort expended by the 3rd party for helping secure your products…not whether the report is new to you…, especially when the issue hasn’t yet been published. Even reviewing the duplicate helps you understand the bug.

fsck_hfs Cache Exhaustion Bug

Kıvanç Günalp:

fsck_hfs in macOS Sequoia (version hfs-683.x) has a cache exhaustion bug that reports false corruption on large HFS+ volumes. On machines with 8 GB RAM, volumes of 24 TB or larger trigger “Couldn’t read node” errors during the extended attributes check.

[…]

fsck_hfs pre-allocates a cache at startup — a pool of 32KB blocks used for all disk reads. The size of this pool is determined by available system RAM[…]

[…]

BTCheckUnusedNodes races through tens of thousands of free nodes, and every unique disk offset it touches gets a Tag_t structure allocated via calloc and inserted into the cache’s hash table. Each tag claims one 32KB buffer from the pool. When the release path runs, it returns the tag to the LRU list — but the LRU management doesn’t keep up with the rate of allocations.

[…]

The irony: a function designed to verify filesystem integrity is itself broken — reporting phantom corruption on perfectly valid volumes.

I’m surprised that we keep seeing new HFS+ bugs. I would have thought that code would be frozen by now.
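Günalp's description above, as an added example written for this page in Go (it is not the hfs-683.x source, which is C, and it is not a claim about which line of fsck_hfs is wrong). The model keeps the three pieces he names: a buffer pool sized from RAM, a hash table of per-offset tags that each claim one 32 KiB buffer, and an LRU list that released tags are pushed onto. It makes one assumption about the failure, that reclaiming buffers from the LRU is decoupled from allocation, so a sweep over more unique offsets than the pool holds drains the pool while idle buffers sit on the LRU list. The 1/256 pool-sizing fraction, the 50,000-node count and all function names are assumptions. The `evictOnDemand` variant reclaims the least recently used tag at the moment the pool runs dry.

```go
package main

import (
	"container/list"
	"fmt"
)

// Model of the cache described above, written for this page (not Apple's fsck_hfs code):
// a pool of 32 KiB buffers, per-offset tags in a hash table, and an LRU list of released tags.
const blockSize = 32 * 1024

type Tag struct {
	offset uint64
	buf    []byte
	lru    *list.Element // non-nil while the tag is parked on the LRU list
}

type Cache struct {
	free          [][]byte        // buffers not claimed by any tag
	tags          map[uint64]*Tag // live tags, one per unique offset touched
	lru           *list.List      // released tags, front = least recently used
	evictOnDemand bool            // false reproduces the failure mode, true is the fix
	Errors        int             // reads refused because no buffer was available
}

// poolBuffers stands in for sizing the pool from RAM; the 1/256 fraction is an assumption.
func poolBuffers(ramBytes uint64) int { return int(ramBytes / 256 / blockSize) }

func NewCache(buffers int, evictOnDemand bool) *Cache {
	c := &Cache{tags: map[uint64]*Tag{}, lru: list.New(), evictOnDemand: evictOnDemand}
	for i := 0; i < buffers; i++ {
		c.free = append(c.free, make([]byte, blockSize))
	}
	return c
}

// Get returns the tag for offset, allocating a fresh tag (the calloc'd Tag_t) on first touch.
func (c *Cache) Get(offset uint64) (*Tag, error) {
	if t, ok := c.tags[offset]; ok {
		if t.lru != nil { // hit on a released tag: take it back off the LRU list
			c.lru.Remove(t.lru)
			t.lru = nil
		}
		return t, nil
	}
	if len(c.free) == 0 {
		// Assumed buggy behaviour: released tags keep their buffers until some later trim,
		// so the read fails even though thousands of idle buffers sit on the LRU list.
		if !c.evictOnDemand || c.lru.Len() == 0 {
			c.Errors++
			return nil, fmt.Errorf("Couldn't read node: no buffer for offset %#x (idle on LRU: %d)", offset, c.lru.Len())
		}
		c.evictOldest() // fix: reclaim the least recently used tag right now
	}
	buf := c.free[len(c.free)-1]
	c.free = c.free[:len(c.free)-1]
	t := &Tag{offset: offset, buf: buf}
	c.tags[offset] = t
	return t, nil
}

// Release parks the tag on the LRU list; its buffer stays attached.
func (c *Cache) Release(t *Tag) {
	if t.lru == nil {
		t.lru = c.lru.PushBack(t)
	}
}

func (c *Cache) evictOldest() {
	e := c.lru.Front()
	t := e.Value.(*Tag)
	c.lru.Remove(e)
	delete(c.tags, t.offset)
	c.free = append(c.free, t.buf)
}

// Reclaimable reports how many released tags are still holding a buffer.
func (c *Cache) Reclaimable() int { return c.lru.Len() }

// CheckUnusedNodes mimics BTCheckUnusedNodes: every free node is read once at a
// distinct offset and released straight away. It returns the number of failed reads.
func CheckUnusedNodes(c *Cache, nodes int) int {
	for n := 0; n < nodes; n++ {
		t, err := c.Get(uint64(n) * blockSize)
		if err != nil {
			continue // fsck would report this as corruption
		}
		_ = t.buf[0] // the node "read"
		c.Release(t)
	}
	return c.Errors
}

func main() {
	pool := poolBuffers(8 << 30) // an 8 GB machine
	const nodes = 50_000         // tens of thousands of free nodes on a large volume
	buggy, fixed := NewCache(pool, false), NewCache(pool, true)
	fmt.Printf("lazy reclaim: %d phantom errors with %d buffers idle on the LRU\n", CheckUnusedNodes(buggy, nodes), buggy.Reclaimable())
	fmt.Printf("evict on demand: %d errors\n", CheckUnusedNodes(fixed, nodes))
}
```

With the 8 GB sizing the model holds 1,024 buffers, so the lazy-reclaim cache refuses 48,976 of the 50,000 reads while all 1,024 buffers sit idle on the LRU list, and the on-demand version refuses none. The shape of the bug is what matters for anyone triaging a similar report: the error is a resource-accounting failure in the checker, it scales with the number of unique offsets the sweep touches relative to the pool size, and it is independent of whether the on-disk B-tree is actually damaged.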
